The Pitfalls of Standardized BYOD
by Donovan Griffin
Posted On April 8, 2014

In businesses around the world, 24-hour access to employees via phone has become the standard in workplace communication. Although the era dominated by company BlackBerries has largely gone by the wayside in favor of bringing your own device (BYOD), corporately owned, personally enabled (COPE) devices are making a comeback in certain sectors. [See “BYOD or COPE: The Best Mobile Strategy for the Workplace” in the March 2014 issue of Information Today. —Ed.] As time goes on, however, most companies are going to have to grapple with employees using their own phones for business. According to a Cisco Systems, Inc. report, 89% of businesses currently have some sort of BYOD policy.

As with any widespread business strategy, BYOD is not without its pitfalls. While it may be cumbersome to handle both a work phone and a personal phone, the modern confluence of employees’ business and private phones carries with it a certain amount of risk.

“All of a sudden you have a whole bunch of phones that were not owned by the company, where there was no contract between the company and the employee as to how to use those phones or how to appropriately access company materials from those mobile devices,” says Doug Herman, managing director of the discovery services practice at UHY Advisors FLVS, Inc. “And so we now find ourselves in a situation where there is, in everyone’s pocket via the smartphone, a portal into potentially sensitive and very confidential company materials.”

The Growing Importance of Mobile

Herman’s work as managing director at UHY falls under two categories: digital forensics and electronic discovery. Digital forensics is, for the most part, the practice of finding out what’s been happening on a computer. The classic scenario, Herman says, is when an employee who has left his company is suspected of theft. Digital forensics investigators try to piece together a timeline of the incident from a forensic copy of the original computer’s hard drive by looking into deleted material and records of when thumb drives or other external media were accessed.

The e-discovery group takes advantage of the information that digital forensics gathers to produce data used in litigation, does upfront consulting with companies, and works with the legal team. UHY has been performing digital forensics and e-discovery for businesses for the past 10 years, says Herman, and he’s been with the company for 8 years himself. Just a few years ago, mobile devices represented perhaps 3%–4% of items UHY collected in e-discovery. But today those numbers are rapidly growing. “[I]f you look at the entire picture of laptops, desktop computers, and mobile devices, I think now mobile devices are probably making up 20%–25% of the actual devices that we are collecting in the context of litigation,” says Herman.

The major downside to having work materials on a personal phone is obvious. Losing a device means more than just a headache for the phone’s owner—it could be a potential security breach for his employer as well. Company secrets and personal health information alike could fall into the wrong hands, or a company might be forced to redo security measures every time an employee who downloaded a work app misplaces her iPhone.

And although the employee has the convenience of working from his own, familiar phone with BYOD, he too faces serious challenges. If something happens with the employee and his phone necessitating the services of digital forensics and e-discovery, the legalities begin to get dicey. “If you’ve got a mobile device out there that potentially has relevant materials that belongs to a company in the context of a litigation or investigation, you have a duty to preserve that device or preserve any materials off of it that may be relevant” to the employer, says Herman. “Well, how do you segregate that from that comingled device, where there are personal text messages, tweets, and whatnot that are purely personal, from the stuff that belongs to the company?”

Privacy and Freedom of Speech in a BYOD World

This sort of data privacy issue in BYOD isn’t a factor for companies until it becomes one. But when it does, it becomes an issue of the right to privacy for the employee. If the company needs to take a forensic copy of the user’s phone, for instance, where does the line dividing material accessible to the company and material belonging solely to the employee lie?

There’s also the issue of free speech, according to Herman. Does a company have a right to secure its interests in the realm of social media on its employees’ phones? “If the device belongs to the company, that’s pretty clear cut. You can’t be tweeting derogatory messages about the company out from your company-owned phone,” he says. “But if it’s a personally owned phone, does an employee have a right to free speech and have the ability to say whatever they want wherever they want, even if it is about the company that they’re employed by?”

Many companies put plans together to govern the use of BYOD and head off such issues before they become a problem. The most important considerations to enforce, says Herman, are twofold. “There effectively needs to be some sort of contract between the employee [and employer] that says, ‘Hey look, you’re accessing company materials on your phone, we acknowledge that this is your own device, but because this company could be involved in a litigation or an investigation then we need to reserve the right to make copies of those materials to the extent that are necessary,’” says Herman. In addition, he notes, the company should employ technology that enforces certain behaviors similar to those used on company laptops with sensitive information, including mandatory passwords and login prompts after periods of disuse.

Additionally, companies may want to be on the conservative side when allowing employees to use ultra-new technology. Herman cautions that the forensics industry is a half-step behind the development of new tools, which may prove problematic in extracting information from a brand-new device should the need arise.

But in the end, if a company wants its BYOD program to survive, it’s better to be flexible. Gartner predicts that by 2016, a full 20% of BYOD programs will fail due to management measures that are too restrictive. In either case, it’s clear that both employees and employers will face new issues while implementing BYOD, even if they don’t know it yet. “I think that the employees will really think twice about whether [they] should sign this contract and let the company have access to [their] mobile device, that’s really going to be a big contention point,” says Herman. “And frankly I don’t think that there are a lot of companies that have really grasped how they’re going to put a policy like that in place.”